b'   October 12, 2004\n\n\n\n\nInformation Technology\nReporting of DoD Capital\nInvestments for Technology in\nSupport of the FY 2005 Budget\nSubmission\n(D-2005-002)\n\n\n\n\n              Department of Defense\n          Office of the Inspector General\nQuality               Integrity       Accountability\n\x0cAdditional Copies\nTo obtain additional copies of this report, visit the Web site of the Inspector\nGeneral of the Department of Defense at http://www.dodig.osd.mil/audit/reports or\ncontact the Secondary Reports Distribution Unit, Audit Followup and Technical\nSupport at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.\n\nSuggestions for Future Audits\n\nTo suggest ideas for or to request future audits, contact Audit Followup and\nTechnical Support at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932.\nIdeas and requests can also be mailed to:\n\n                 ODIG-AUD (ATTN: AFTS Audit Suggestions)\n                 Inspector General of the Department of Defense\n                       400 Army Navy Drive (Room 801)\n                           Arlington, VA 22202-4704\n\x0c                           INSPECTOR GENERAL\n                          DEPARTMENT OF DEFENSE\n                             400 ARMY NAVY DRIVE\n                        ARLINGTON, VIRGINIA 22202-4704\n\n\n\n\n                                                                       October 12,2004\nMEMORANDUM FOR ASSISTANT SECRETARY DEFENSE (NETWORKS AND\n               INFORMATION INTEGRATION) I DOD CHIEF\n               INFORMATION OFFICER\nSUBJECT: Reporting of DoD Capital Investments for Technology in Support of the\n         FY 2005 Budget Submission (Report No. D-2005-002)\n\n        We provided a draft of this report on September 28,2004. No written response to\nthis report was required and none was received. Therefore, we are publishing this report\nin final form.\n        We appreciate the courtesies extended to the audit staff. For additional\ninformation on this report, please contact Ms. Kathryn M. Truex at (703) 604 8966 (DSN\n664-8966) or Mr. Robert L. Shaffer at (703) 604-9043 @SN 664-9043). See Appendix B\nfor the report distribution. The team members are listed inside the back cover.\n\n\n\n                                            M&L. ug&e\n                                   Assistant Inspector General for\n                               Acquisition and Technology Management\n\x0c         Office of the Inspector General of the Department of Defense\nReport No. D-2005-002                                                   October 12, 2004\n (Project No. D2004AL-0148)\n\n           Reporting of DoD Capital Investments for Technology\n              in Support of the FY 2005 Budget Submission\n\n                                Executive Summary\n\n\nWho Should Read This Report and Why? DoD managers preparing and certifying\ncapital investment justifications for information technology should read this report to\nimprove the quality of data being submitted by the Assistant Secretary of Defense\n(Networks and Information Integration) to the Office of Management and Budget and\nCongress.\n\nBackground. Information technology is a President\xe2\x80\x99s Management Agenda priority for\nexpanding electronic government. In addition, Congress has challenged the quality of\nDoD information technology management because information technology documents\nand associated budget data that DoD provided were inaccurate, misleading, or\nincomplete. In FY 2005, DoD submitted a budget request of $28.7 billion for\ninformation technology.\n\nResults. DoD Components did not adequately report information technology\ninvestments to the Office of Management and Budget in support of the DoD Budget\nRequest for FY 2005 because Component Chief Information Officers and Chief Financial\nOfficers did not always include required information in submitted reports. Specifically,\n76 of 174 (44 percent) Capital Investment Reports submitted to the Office of\nManagement and Budget in standard formats did not completely respond to one or more\nrequired data elements addressing security funding, certification and accreditation, and\ntraining and security plans. As a result, the quality of DoD security information reported\nto the Office of Management and Budget had limited value and did not demonstrate, in\naccordance with Office of Management and Budget and DoD guidance, that DoD was\neffectively managing its proposed information technology investment for FY 2005.\n\nIn response to prior audit reports by the Government Accountability Office and the\nOffice of the Inspector General of the Department of Defense, the Assistant Secretary of\nDefense (Networks and Information Integration) / DoD Chief Information Officer either\nconcurred or partially concurred with the recommendations and took actions that should\nimprove the quality of Capital Investment Reports submitted to the Office of\nManagement and Budget for FY 2006. Therefore, we made no recommendations.\n\x0cTable of Contents\n\nExecutive Summary                                      i\n\nBackground                                             1\n\nObjectives                                             2\n\nFinding\n     Completeness of DoD Capital Investment Reports    3\n\nAppendixes\n     A. Scope and Methodology                         10\n         Prior Coverage                               10\n     B. Report Distribution                           11\n\x0cBackground\n    DoD Components use information technology in a wide variety of mission\n    functions including finance, personnel management, computing and\n    communication infrastructure, logistics, intelligence, and command and control.\n    Information technology consists of any equipment or interconnected system or\n    subsystem of equipment that is used in the automatic acquisition, storage,\n    manipulation, management, movement, control, display, switching, interchange,\n    transmission, or reception of data or information. The President\xe2\x80\x99s Management\n    Agenda for expanding electronic government identified effective planning for\n    information technology investments as a priority. Improving information\n    technology security is one of the Office of Management and Budget\xe2\x80\x99s highest\n    priorities in information technology management. In addition, Congress has\n    challenged the quality of DoD information technology management because\n    information technology documents and associated budget data that DoD provided\n    were inaccurate, misleading, or incomplete. The Assistant Secretary of Defense\n    (Networks and Information Integration), as the Chief Information Officer, is the\n    principal staff assistant to the Secretary of Defense for DoD information\n    technology.\n\n    Public Law 107-347, Title III, \xe2\x80\x9cFederal Information Security Management Act of\n    2002,\xe2\x80\x9d December 17, 2002, requires agencies to address the adequacy and\n    effectiveness of information security policies and practices in plans and reports\n    relating to annual agency budgets.\n    Public Law 104-106, \xe2\x80\x9cNational Defense Authorization Act for Fiscal Year 1996,\xe2\x80\x9d\n    Division E, Information Technology Management Reform, February 10, 1996,\n    commonly called the \xe2\x80\x9cClinger-Cohen Act,\xe2\x80\x9d requires effective and efficient capital\n    planning processes for selecting, managing, and evaluating the results of all major\n    investments in information technology. The Act requires that executive agencies:\n\n           \xe2\x80\xa2   Establish goals for improving the efficiency and effectiveness of\n               agency operations through the effective use of information technology,\n\n           \xe2\x80\xa2   Prepare an annual report, to be included in the executive agency\xe2\x80\x99s\n               budget submission to Congress, on the progress in achieving the goals,\n\n           \xe2\x80\xa2   Prescribe performance measurements for information technology and\n               measure how well information technology supports agency programs,\n\n           \xe2\x80\xa2   Measure quantitatively agency process performance for cost, speed,\n               productivity, and quality against comparable processes and\n               organizations in the private and public sectors where they exist,\n\n           \xe2\x80\xa2   Analyze the missions of the executive agency and, based on the\n               analysis, revise the executive agency\xe2\x80\x99s mission-related processes and\n               administrative processes as appropriate before making significant\n               investments in information technology, and\n\n           \xe2\x80\xa2   Ensure that information security policies, procedures, and practices of\n               the executive agency are adequate.\n\n\n\n\n                                         1\n\x0c    DoD uses the Information Technology Management Application database to plan,\n    coordinate, and disseminate the DoD information technology budget that the\n    Office of Management and Budget and Congress require. The information\n    technology budget for FY 2005 totaled $28.7 billion and consisted of\n    1,176 different initiatives. DoD classified 172 of the initiatives as major\n    investments, which accounted for $13.1 billion (46 percent of the information\n    technology budget). The remaining 1,004 initiatives were minor investments and\n    totaled $15.6 billion.\n    Components must submit an Exhibit 300, \xe2\x80\x9cCapital Investment Report,\xe2\x80\x9d for all\n    major information technology investments. Major information technology\n    investments:\n\n           \xe2\x80\xa2   require special management attention because of their importance to\n               an agency\xe2\x80\x99s mission;\n\n           \xe2\x80\xa2   were included in the FY 2004 submission and are ongoing;\n\n           \xe2\x80\xa2   are for financial management and more than $500,000;\n\n           \xe2\x80\xa2   are directly tied to the top two layers of the Federal Enterprise\n               Architecture;\n\n           \xe2\x80\xa2   have significant program or policy implications;\n\n           \xe2\x80\xa2   have high executive visibility;\n\n           \xe2\x80\xa2   are defined as major investments by the agency\xe2\x80\x99s capital planning and\n               investment control process.\n\n    The Capital Investment Report is used by DoD management and the Office of\n    Management and Budget to show that the Component has employed the\n    disciplines of good project management, presented a strong business case for the\n    investment, and defined the proposed costs, schedule, and performance goals for\n    the investment if funding approval is obtained. When submitted, the Capital\n    Investment Report should be complete and accurate and provide all the\n    information that the Office of Management and Budget requires. In September\n    2003, DoD submitted 174 Capital Investment Reports for the FY 2005 budget\n    request to the Office of Management and Budget.\n\n\nObjectives\n    The overall audit objective was to verify and validate whether the Services and\n    DoD Components are adequately reporting information technology investments to\n    the Office of Management and Budget. Specifically, the audit determined\n    whether DoD Capital Investment Reports that were submitted in September 2003\n    for the Office of Management and Budget FY2005 reporting requirements\n    demonstrated that DoD is managing its information technology investments in\n    accordance with Office of Management and Budget and DoD guidance.\n\n\n\n                                         2\n\x0c            Completeness of DoD Capital Investment\n            Reports\n            DoD Components did not adequately report information technology\n            investments to the Office of Management and Budget in support of the\n            DoD Budget Request for FY 2005 because Component Chief Information\n            Officers and Chief Financial Officers did not always include the required\n            information in the reports that they submitted. Specifically, 76 of the\n            174 (44 percent) Capital Investment Reports submitted to the Office of\n            Management and Budget in September 2003 did not completely respond\n            to one or more required data elements in the Security and Privacy section.\n            As a result, the quality of DoD information reported on security to the\n            Office of Management and Budget had limited value and did not\n            demonstrate, in accordance with Office of Management and Budget and\n            DoD guidance, that DoD was effectively managing its proposed\n            $28.7 billion information technology investment for FY 2005.\n\n\nCriteria\n     Office of Management and Budget Circular A-11. Circular A-11,\n     \xe2\x80\x9cPreparation, Submission, and Execution of the Budget,\xe2\x80\x9d Part 7, Section 300,\n     \xe2\x80\x9cPlanning, Budgeting, Acquisition, and Management of Capital Assets,\xe2\x80\x9d July\n     2003, implements the Clinger-Cohen Act and establishes policy and procedures\n     for planning, budgeting, acquiring, and managing Federal capital assets.\n     Agencies are required to demonstrate to the Office of Management and Budget in\n     semi-annual reports that major information technology investments are directly\n     connected to agencies\xe2\x80\x99 strategic plans and provide a positive return on\n     investment, sound acquisition planning, comprehensive risk mitigation and\n     management planning, realistic cost and schedule goals, and measurable\n     performance benefits. For the DoD FY 2005 budget request, the Assistant\n     Secretary of Defense (Networks and Information Integration) / DoD Chief\n     Information Officer forwarded 174 Capital Investment Reports to the Office of\n     Management and Budget. The Capital Investment Report is the primary means of\n     justifying and managing information technology investments.\n\n     DoD Financial Management Regulation. The DoD Financial Management\n     Regulation, 7000.14-R, Volume 2B, Chapter 18, \xe2\x80\x9cInformation Technology\n     Resources and National Security Systems,\xe2\x80\x9d June 2002, requires all DoD\n     Components that have any resource obligations for information technology or\n     national security systems to prepare Capital Investment Reports, which are\n     mandated by Office of Management and Budget Circular A-11. The regulation\n     requires Component Chief Information Officers and Chief Financial Officers to\n     jointly certify that the Capital Investment Reports submitted are complete,\n     accurate, and consistent with the Clinger-Cohen Act, the Paperwork Reduction\n     Act, and other applicable acts and requirements.\n\n\n\n\n                                         3\n\x0cCapital Investment Reports to Office of Management and\n  Budget\n    The Information Technology Capital Investment Reports submitted for the\n    FY 2005 DoD budget request did not demonstrate that DoD was effectively and\n    efficiently managing information technology resources in accordance with the\n    Office of Management and Budget Circular A-11, July 2003. Our analysis\n    showed that 76 of the 174 (44 percent) of Capital Investment Reports that DoD\n    submitted to the Office of Management and Budget contained incomplete\n    information or did not provide the information that was required by Circular A-11\n    for one or more of the data elements in the Security and Privacy section.\n    Incomplete information was submitted in the data elements for security funding,\n    certification and accreditation, incident handling and reporting, security plans,\n    contractor security, security testing, security training, and the protection of\n    systems accessible to the public. In addition, we also reviewed Component\n    responses on whether they reviewed their investments during the FY 2003\n    Federal Information Security Management Act reporting process.\n\n    Security Funding. Circular A-11 requires Components to describe how security\n    is provided and funded and report the total dollars allocated for information\n    technology security for all investments in FY 2005. Fifty-three of the\n    174 submissions (30 percent) were incomplete. Thirty-four Components reported\n    security funding for FY 2004 rather than FY 2005. An additional 12 Components\n    reported that security funding for FY 2005 was unavailable. We were unable to\n    determine the amount of security funding for seven investments based on the\n    information given. Table 1 summarizes the incomplete information on security\n    funding that Components submitted.\n\n       Table 1. Incomplete Submissions for Security Funding by Component\n                                 Number of Incomplete\n           Component                Submissions                      Percent\n\n    Army                                24 of 44                        55\n    Navy                                 7 of 36                        19\n    Air Force                            2 of 24                         8\n    Defense agencies                    20 of 70                        28\n      Total                             53 of 174                       30\n\n    Certification and Accreditation. Circular A-11 reporting requirements require\n    Components to verify full certification and accreditation for investments, specify\n    the methodology used, and provide the date of the last certification and\n    accreditation review. Full certification and accreditation refers to investments\n    with authority to operate and excludes investments with interim authority to\n    operate. All information technology investments must be fully certified and\n    accredited before becoming operational. Anything short of full certification and\n    accreditation indicates that identified information technology security weaknesses\n\n\n                                        4\n\x0cremain. These weaknesses must be corrected before adequate funding for the\ninvestment can be justified. In 61 of the 174 submissions (35 percent), the\nCapital Investment Reports did not support full certification and accreditation.\nComponents included investments with interim authority to operate, investments\nwhere the certification and accreditation was in process, or the status of\ncertification and accreditation was unclear.\n\nOffice of Management and Budget Memorandum 03-19, \xe2\x80\x9cReporting Instructions\nfor the Federal Information Security Management Act and Updated Guidance on\nIT [Information Technology] Security Reporting,\xe2\x80\x9d August 6, 2003, requires\nFederal agencies to prepare and submit Plan of Action and Milestones documents\nfor all programs and systems with information technology security weaknesses.\nHowever, only 22 of the 61 investments had a Plan of Action and Milestones\ndocument. Twelve additional Capital Investment Reports did not contain the\ncertification and accreditation methodology used or the date of the last\ncertification and accreditation review. One Component reported that the question\non certification and accreditation was not applicable because the investment,\n\xe2\x80\x9cCommon Operating Environment,\xe2\x80\x9d was not a system, it is a collection of\nsoftware components that are integrated into mission applications and command\nand control systems. The Component stated that systems that use the software\ncomponents of the \xe2\x80\x9cCommon Operating Environment\xe2\x80\x9d are taken through the\ncertification and accreditation process by the organization owning the system.\nWe believe that the question does apply to the Component. DoD Instruction\n5200.40, \xe2\x80\x9cDoD Information Technology Security Certification and Accreditation\nProcess,\xe2\x80\x9d December 30, 1997 paragraph E3.4.3.3.2, clearly describes the software\ndesign certification task and states that the task may include a detailed analysis of\nsoftware specifications and software design documentation. Table 2 summarizes\nthe 73 Capital Investment Reports, by Component, of submissions that were\nincomplete or did not support full certification and accreditation.\n\n    Table 2. Inadequate Certification and Accreditation Submissions by\n                                Component\n\n                              Number of Incomplete\n       Component                 Submissions                        Percent\nArmy                                22    of 44                       50\nNavy                                20    of 36                       56\nAir Force                            8    of 24                       33\nDefense agencies                    23     of 70                      33\n Total                              73     of 174                     42\n\nIncident Handling and Reporting. Circular A-11 requires Components to\nreport on how incident-handling capability has been incorporated into the system\nor investment and to include a summary of intrusion detection monitoring and\naudit log reviews. Circular A-11 also requires Components to report incidents to\nthe Department of Homeland Security\xe2\x80\x99s Federal Computer Incident Response\nCenter. Thirteen of the 174 (7 percent) Capital Investment Reports did not\naddress all of the required elements, including intrusion detection monitoring and\naudit log reviews. In two submissions, the Component reported that the\n\n\n\n                                      5\n\x0cinvestment was a new start and that the security requirements were being\ndeveloped.\n\nSecurity Plans. Circular A-11 requires Components to report whether the\ninvestments have an updated security plan and provide the date of the plan. A\nreference to security plans or other documents is not an acceptable response.\nFourteen of the 174 (8 percent) Capital Investment Reports did not provide the\ndate of the security plan, did not indicate that an updated security plan was\navailable, or stated that the requirement was not applicable. Reasons provided for\nthe security plan not being applicable included:\n\n       \xe2\x80\xa2   The contract has not been awarded, but all required security issues\n           would be addressed and the re-hosted system would contain all the\n           security features that are currently available in the system.\n\n       \xe2\x80\xa2   The program did not process any information or data; it provided an\n           infrastructure to house computers and radios used in Army command\n           posts.\n\nWe do not consider those answers responsive to the question on security plans.\nCircular A-11 clearly states that all information technology investments must\nhave up-to-date security plans.\n\nContractor Security. Circular A-11 requires Components to report whether the\ncontractor operated the system on site or at a contractor facility and whether the\ncontract includes specific security requirements required by law and policy.\nCircular A-11 also requires Components to describe how contractor security\nprocedures are monitored, verified, and validated. Ten of the 174 (6 percent)\nCapital Investment Reports did not completely address all the elements for this\narea. Component responses stated that the investment was not a system, that the\nrequirement did not apply, or that new start authority was pending. In other\nsubmissions, the responses were too general to be useful. Examples of the\ncomplete answers that were too general were:\n\n       \xe2\x80\xa2       \xe2\x80\x9cAny contractors undergo background evaluations.\xe2\x80\x9d\n       \xe2\x80\xa2       \xe2\x80\x9cBy sites security administrator.\xe2\x80\x9d\n       \xe2\x80\xa2       \xe2\x80\x9cYes, security investigation of contractors is required, bound by\n                same access rules as Government employees.\xe2\x80\x9d\n\nSecurity Testing. Circular A-11 requires Components to report on whether\nmanagement, operational, and technical security controls have been tested for\neffectiveness. Circular A-11 also requires the Components to provide the date of\nthe most recent tests. Eleven of the 174 (6 percent) Capital Investment Reports\ndid not contain the required information for this area. Six Components failed to\ninclude the date of the most recent tests. Five Components stated that the\ninvestment was not a system and did not provide the requested information.\n\nSecurity Training. Circular A-11 requires Components to provide information\non user training in the past year. Five of 174 (3 percent) Capital Investment\n\n\n\n                                     6\n\x0c     Reports did not clearly show that the users were appropriately trained during the\n     past year or that the requirement was not applicable.\n\n     Protection of Systems with Public Access. Circular A-11 requires Components\n     to report on how agencies ensure effective use of security controls and\n     authentication tools to protect privacy for systems that promote or permit public\n     access. Three of the 174 (2 percent) Capital Investment Reports stated that this\n     program is pending new start authority, security requirements were being\n     identified within the architecture products, or that the requirement was not\n     applicable.\n\n     Federal Information Security Management Act. Circular A-11 requires\n     Components to report whether they reviewed investments as part of the\n     FY 2003 Federal Information Security Management Act reporting process,\n     whether the review indicated any weaknesses, and whether the weaknesses were\n     included in the corrective action plan. Our review of the 174 Capital Investment\n     Reports showed that 83 (48 percent) investments were included as part of the\n     review. Thirteen of the 83 reports indicated weaknesses were found and\n     incorporated into an agency corrective action plan. Office of Management and\n     Budget Memorandum 03-19, \xe2\x80\x9cReporting Instructions for the Federal Information\n     Security Management Act and Updated Guidance on IT [Information\n     Technology] Security Reporting,\xe2\x80\x9d August 6, 2003, requires Federal agencies to\n     prepare and submit Plan of Action and Milestones documents for all programs\n     and systems with any information technology security weakness. However, only\n     3 of the 13 reports that indicated weaknesses had a Plan of Action and Milestones\n     document. In addition, two of the Capital Investment Reports did not answer the\n     question.\n\n\nEffect of Inadequate Capital Investment Reports\n     The quality of DoD information reported on security to the Office of Management\n     and Budget had limited value because it did not demonstrate, in accordance with\n     Office of Management and Budget and DoD guidance, that DoD was effectively\n     managing its $28.7 billion information technology investment for FY 2005.\n     Although Capital Investment Reports are officially submitted to the Office of\n     Management and Budget twice yearly, Components should use them as\n     management tools and update the reports as the information becomes available.\n     Information reported on Capital Investment Reports helps management ensure\n     that spending on capital assets directly supports an agency\xe2\x80\x99s mission and will\n     provide a return on investment equal to or better than alternative uses of funding.\n     Submission of incomplete reports jeopardizes appropriate funding and diminishes\n     the overall usefulness of Capital Investment Reports.\n\n\nManagement Actions Taken on Previous Audits and During\n this Audit\n     The Congress, the Government Accountability Office (formerly, the General\n     Accounting Office), and the Inspector General of the Department of Defense have\n     questioned the quality, accuracy, and completeness of DoD budget submissions.\n\n\n                                          7\n\x0cHowever, the Assistant Secretary of Defense (Networks and Information\nIntegration) / DoD Chief Information Officer has taken action that should\nimprove the quality of future Capital Investment Reports submitted to the Office\nof Management and Budget.\nCongressional Interest. In the past, the House Committee on Armed Services\nhas challenged the quality of DoD information technology management. The\nCommittee noted that DoD information technology documents provided to the\nCommittee describing the various information technology initiatives and\nassociated budget data were inaccurate, misleading, or incomplete.\nGovernment Accountability Office. The Government Accountability Office\nassessed the funding information in the DoD Information Technology Budget\nSummary to determine the reliability of the DoD FY 2004 budget submission for\ninformation technology. Audit Report GAO-04-115, \xe2\x80\x9cImprovements Needed in\nthe Reliability of Defense Budget Submissions,\xe2\x80\x9d December 19, 2003, found that\nthe FY 2004 information technology budget submission contained material\ninconsistencies, inaccuracies, or omissions that limited its reliability. The report\nmade eight recommendations to improve the reliability of future budget\nsubmissions and raise the level of management attention on improving reliability\nand strengthening the management processes and supporting systems. In\nresponse to the report\xe2\x80\x99s recommendations, the Assistant Secretary of Defense\n(Networks and Information Integration) / DoD Chief Information Officer agreed\nor partially agreed with the recommendations and described actions that his office\nwould take to establish the appropriate controls and systems needed to correct\nmany of the weakness described in the report.\nInspector General of the Department of Defense. The Office of the Inspector\nGeneral of the Department of Defense assessed the \xe2\x80\x9cReporting of DoD Capital\nInvestments for Information Technology,\xe2\x80\x9d May 7, 2004 (Report No. D2004-081).\nThe report determined that DoD Capital Investment Reports submitted to the\nOffice of Management and Budget and Congress for information technology\nassets did not consistently demonstrate that information supporting the budget\njustifications was directly connected to the DoD strategic plan and would provide\na positive return on investment, sound acquisition planning, comprehensive risk\nmitigation and management planning, realistic cost and schedule goals, and\nmeasurable performance benefits. In response to the report\xe2\x80\x99s recommendations,\nthe Assistant Secretary of Defense (Networks and Information Integration) / Chief\nInformation Officer revised the DoD Financial Management Regulation to make\nDoD financial officers more accountable for submitted data. The revised\nguidance augmented compliance with the Clinger-Cohen Act and Office of\nManagement Budget Circular A-11 requirements.\n\nStatus Meetings. The Director of Resources, Assistant Secretary of Defense\n(Networks and Information Integration) / DoD Chief Information Officer held\nnumerous meetings with officials of the Services and Defense agencies who were\nresponsible for preparing and submitting the FY 2006 DoD information\ntechnology Capital Investment Reports and other associated budget data in an\neffort to clarify the Office of Management and Budget guidance and improve the\nquality of Capital Investment Reports submitted.\n\nSubmission Process Changes. On July 19, 2004, the Assistant Secretary of\nDefense (Networks and Information Integration) / DoD Chief Information Officer\n\n\n                                     8\n\x0c    issued policy and guidance for completing and submitting the FY 2006 Capital\n    Investment Reports. Starting with the FY 2006 Exhibit 300 submissions, the\n    Director of Resources, Office of the Assistant Secretary of Defense (Networks\n    and Information Integration) / Chief Information Officer plans to score all\n    submissions using an established self-assessment process. The Director will also\n    inform DoD Components of required revisions before forwarding them to the\n    Office of Management and Budget. When implemented, those actions should\n    further improve the quality of Capital Investment Reports submitted to the Office\n    of Management and Budget.\n\n\nConclusion\n    The quality of security information reported to the Office of Management and\n    Budget for FY 2005 did not consistently demonstrate that Components were\n    effectively managing information technology capital assets. Although reasonable\n    explanations existed for some missing and incomplete data, this rationale could\n    not be applied systemically for the majority of missing or incomplete information\n    responses. Actions taken by the Assistant Secretary of Defense (Networks and\n    Information Integration) / DoD Chief Information Officer in response to audit\n    reports by the Government Accountability Office and the Office of the Inspector\n    General should improve the quality of the Capital Investment Reports submitted\n    to the Office of Management and Budget for FY 2006. Therefore, we are not\n    making any recommendations.\n\n\n\n\n                                        9\n\x0cAppendix A. Scope and Methodology\n    We examined all 174 Capital Investment Reports that DoD submitted to the\n    Office of Management and Budget for the FY 2005 DoD Budget Request. We\n    limited our review to evaluating the responses in the data elements of security\n    funding, certification and accreditation, incident handling and reporting, security\n    plans, contractor security, security testing, security training, and protection of\n    systems accessible to the public. We also reviewed Component responses on\n    whether investments were reviewed during the FY 2003 Federal Information\n    Security Management Act reporting process. We evaluated the reporting process\n    and the completeness of information for each report based on report preparation\n    guidance from Office of Management and Budget Circular A-11, Part 7,\n    \xe2\x80\x9cPlanning, Budgeting, Acquisition, and Management of Capital Assets,\xe2\x80\x9d July\n    2003, and the DoD Financial Management Regulation 7000.14-R, Volume 2B,\n    Chapter 18, \xe2\x80\x9cInformation Technology Resources and National Security Systems,\xe2\x80\x9d\n    June 2002. We also reviewed relevant documents addressing report submissions\n    from February 1996 through July 2004.\n\n    We attended meeting with officials who were responsible for preparing and\n    submitting DoD information technology Capital Investment Reports and other\n    associated budget data within the Services and Defense agencies to gain an\n    overall understanding of the information technology budget process.\n\n    This audit was performed from April 2004 through September 2004 in accordance\n    with generally accepted government auditing standards. The management control\n    program was not an announced audit objective because it was reviewed and\n    reported upon in Inspector General Report Number D-2004-081.\n\n    Use of Computer-Processed Data. We did not use computer processed data to\n    perform this audit.\n\n    Use of Technical Assistance. We did not use technical assistance to perform this\n    audit.\n\n    Government Accountancy Office High-Risk Area. The General Accounting\n    Office has identified several high-risk areas in DoD. This report provides\n    coverage of DoD Information Technology management.\n\n\nPrior Coverage\n    GAO Report Number GAO-04-115, \xe2\x80\x9cImprovements Needed in the Reliability of\n    Defense Budget Submissions,\xe2\x80\x9d December 19, 2003\n\n    Inspector General Report Number D-2004-081, \xe2\x80\x9cReporting of DoD Capital\n    Investments for Information Technology, May 7, 2004\n\n\n\n\n                                        10\n\x0cAppendix B. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\nAssistant Secretary of Defense (Networks and Information Integration) / DoD Chief\n   Information Officer\nDirector, Program Analysis and Evaluation\n\nJoint Staff\nDirector, Joint Staff\n\nDepartment of the Army\nAssistant Secretary of the Army (Financial Management and Comptroller)\nChief Information Officer, Department of the Army\nAuditor General, Department of the Army\n\nDepartment of the Navy\nAssistant Secretary of the Navy (Financial Management and Comptroller)\nChief Information Officer, Department of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nChief Information Officer, Department of the Air Force\nAuditor General, Department of the Air Force\n\nOther Defense Organizations\nDirector, Defense Finance and Accounting Service\nDirector, Defense Information Systems Agency\n\nNon-Defense Federal Organization\nOffice of Management and Budget\n\n\n\n\n                                          11\n\x0cCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency and Financial Management, Committee\n  on Government Reform\nHouse Subcommittee on National Security, Emerging Threats, and International\n  Relations, Committee on Government Reform\nHouse Subcommittee on Technology, Information Policy, Intergovernmental Relations,\n  and the Census, Committee on Government Reform\n\n\n\n\n                                        12\n\x0cTeam Members\nThe Office of the Deputy Inspector General for Auditing of the Department of\nDefense, Acquisition and Technology Management prepared this report.\nPersonnel of the Office of the Inspector General of the Department of Defense\nwho contributed to the report are listed below.\n\nMary L. Ugone\nKathryn M. Truex\nRobert L. Shaffer\nGeorge A. Leighton\nRobert R. Johnson\nJacqueline N. Pugh\n\x0c'